Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 8 November 2004 15:32:06 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Bofra-A.
More Information
W32/Bofra-A is a worm for the Windows platform that arrives via email.
The body of the email tries to entice the user to click on a hyperlink to look at webcam images or to visit an adult website.
W32/Bofra-A attempts to harvest email addresses from the Outlook address book and from other files on the infected machine.
W32/Bofra-A uses its own SMTP engine to send emails to the harvested addresses, enticing the recipient to click on a hyperlink that downloads the worm from the infected machine.
W32/Bofra-A is a mass-mailing worm for the Windows platform.
W32/Bofra-A tries to copy itself either to the Windows system folder or to the Temp folder, using a filename consisting of between 2 and 8 random characters followed by 32.EXE (e.g. EOFJNF32.EXE). W32/Bofra-A then creates an entry at one of the following registry locations so that it runs on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rhino
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Rhino
W32/Bofra-A attempts to harvest email addresses from the Outlook address book and from files with the following extensions:
TXT, HTMB, SHTL, PHPQ, ASPD, DBXN, TBBG, ADBH, PL, WAB
W32/Bofra-A will not harvest addresses containing the following strings:
avp, syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, example, mydomai, nodomai, ruslis, .gov, gov., .mil, foo., root, info, samples, postmaster, webmaster, noone, nobody, nothing, anyone, someone, your, you, me, bugs, rating, site, contact, soft, no, somebody, privacy, service, help, not, submit, feste, ca, gold-certs, the.bat, page, spm, spam, www, secur, abuse, admin, icrosoft, support, ntivi, unix, bsd, linux, listserv, certific, google, accoun, berkeley, unix, math, bsd, mit.e, gnu, fsf., ibm.com, google, kernel, linux, fido, usenet, iana, ietf, rfc-ed, sendmail, arin., ripe., isi.e, isc.o, secur, acketst, pgp, tanford.e, utgers.ed, mozilla
W32/Bofra-A will use its own SMTP engine to send emails to these harvested addresses, enticing the recipient to click on a hyperlink. This link makes use of an exploit in Internet Explorer to download W32/Bofra-A from the infected machine, saving the infected file to the Desktop with the filename OLESERVER.EXE. The download will take place without any notification from Windows. In order to allow this download to take place the infected machine listens on ports higher than 1639 for download requests.
The email distributed by W32/Bofra-A carries fake email headers to make it appear to have been created by one of a number of legitimate email clients and to have been checked for viruses. The email itself has the following characteristics:

FROM: one entry from the following list
- Becky
- joanna
- KETTY
- jane
- sindy

SUBJECT: one entry from the following list
- hey!
- Hello
- funny photos :)

BODY: one entry from the following list
- FREE ADULT VIDEO! SIGN UP NOW!
- Look at my homepage with my last webcam photos
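As an added detection example (not part of the Sophos advisory), the following Python script parses a raw email message and compares its sender display name, subject and body against the lure characteristics listed above. It also looks for a link to a bare IP address on a port above 1639, which is an assumption about the link format drawn from the advisory's statement that the infected host listens above that port; the two sample messages are constructed and use documentation addresses.

```python
import re
import email
from email import policy

# Lure values copied from the advisory text above; compared case-insensitively.
LURE_FROM = {"becky", "joanna", "ketty", "jane", "sindy"}
LURE_SUBJECT = {"hey!", "hello", "funny photos :)"}
LURE_BODY = (
    "free adult video! sign up now!",
    "look at my homepage with my last webcam photos",
)
# The advisory says the infected host serves the download on a port above 1639;
# the link is assumed here to point at a bare IP address with an explicit port.
IP_PORT_LINK = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
LISTEN_PORT_FLOOR = 1639


def lure_score(raw_message: bytes) -> dict:
    """Compare one raw RFC 822 message against the Bofra-A lure characteristics."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = str(msg.get("From", ""))
    # The worm uses a bare first name as the display name; take whatever precedes '<'.
    display = sender.split("<", 1)[0].strip().strip('"').lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip().lower() if part is not None else ""

    link = IP_PORT_LINK.search(body)
    link_port = int(link.group(2)) if link else None

    hits = {
        "from": display in LURE_FROM,
        "subject": subject in LURE_SUBJECT,
        "body": any(body.startswith(text) for text in LURE_BODY),
        "high_port_ip_link": link_port is not None and link_port > LISTEN_PORT_FLOOR,
    }
    # A single field ("Hello" as a subject, say) is too common to act on; require two.
    return {**hits, "link_port": link_port, "suspicious": sum(hits.values()) >= 2}


# Constructed sample messages (not real captures); addresses are RFC 2606/5737 reserved values.
SAMPLE_LURE = (
    b'From: "Becky" <becky@example.invalid>\r\n'
    b"To: someone@example.invalid\r\n"
    b"Subject: funny photos :)\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Look at my homepage with my last webcam photos\r\n"
    b"http://192.0.2.10:1640/index.html\r\n"
)
SAMPLE_BENIGN = (
    b'From: "Alice Example" <alice@example.invalid>\r\n'
    b"To: someone@example.invalid\r\n"
    b"Subject: Minutes from today's meeting\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hello, the minutes are on the wiki.\r\n"
)

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, lure_score(sample))
```

The threshold of two matching fields is a tuning choice: the subject "Hello" alone would flag a large share of ordinary mail, whereas a first-name-only sender combined with one of the two body strings is a much narrower signal.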
W32/Bofra-A also contains IRC backdoor Trojan functionality and, if instructed to do so, may download files from a remote website, save them under random filenames in the Windows system folder and execute them.
W32/Bofra-A attempts to delete the following registry entries to prevent files created by other variants of the worm from running on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\center
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reactor
W32/Bofra-A attempts to inject itself into Explorer in order to make removal more difficult.
W32/Bofra-A will not run on dates past December 15th.
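The host-side artifacts described in this section (the random 32.EXE drop name, the Rhino Run value, the center and reactor values of sibling variants, and the OLESERVER.EXE copy on the Desktop) can be checked against a collected file list and Run-key snapshot. The Python below is an added example, not Sophos code; it assumes the random characters are alphanumeric (the advisory does not say) and treats rundll32.exe and regsvr32.exe as known-good names because they happen to fit the same pattern. The inventory is constructed, not taken from a real machine.

```python
import re
from pathlib import PureWindowsPath

# Naming scheme from the advisory: 2 to 8 random characters followed by "32.EXE".
# Assumed here (the advisory does not say) that the random characters are alphanumeric.
DROPPER_NAME = re.compile(r"^[A-Za-z0-9]{2,8}32\.exe$", re.IGNORECASE)
# Legitimate Windows binaries that also fit the pattern; extend for your environment.
KNOWN_GOOD = {"rundll32.exe", "regsvr32.exe"}
# Folders the advisory names as drop locations (directory name only, compared case-insensitively).
DROP_FOLDERS = {"system32", "system", "temp"}
# Run-key value names: "Rhino" is written by this variant; "center" and "reactor" are the
# ones it deletes, so their presence points at a sibling variant instead.
RUN_VALUE_NAMES = {"rhino", "center", "reactor"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
DOWNLOAD_NAME = "oleserver.exe"


def is_dropper_name(path: str) -> bool:
    """True when the file name fits the random-name scheme and is not a known system binary."""
    name = PureWindowsPath(path).name
    return name.lower() not in KNOWN_GOOD and DROPPER_NAME.match(name) is not None


def find_indicators(inventory: dict) -> list[str]:
    """Walk a collected file list and Run-key snapshot and return the matching artifacts."""
    findings = []
    for path in inventory.get("files", []):
        p = PureWindowsPath(path)
        folder = p.parent.name.lower()
        if folder in DROP_FOLDERS and is_dropper_name(path):
            findings.append(f"dropper-style file name: {path}")
        if folder == "desktop" and p.name.lower() == DOWNLOAD_NAME:
            findings.append(f"downloaded copy on Desktop: {path}")
    for key, values in inventory.get("run_values", {}).items():
        if not key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            if name.lower() in RUN_VALUE_NAMES:
                findings.append(f"Run value {key}\\{name} = {data}")
    return findings


# Constructed snapshot (not from a real machine) of what a collector would hand over.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\WINDOWS\system32\EOFJNF32.EXE",
        r"C:\WINDOWS\system32\rundll32.exe",
        r"C:\WINDOWS\system32\kernel32.dll",
        r"C:\Documents and Settings\user\Desktop\OLESERVER.EXE",
    ],
    "run_values": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Rhino": r"C:\WINDOWS\system32\EOFJNF32.EXE",
            "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
        },
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    },
}

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_INVENTORY):
        print(finding)
```

The file-name pattern is the weakest of the three checks on its own, which is why it is restricted to the two drop folders and paired with a known-good list; the Run value name and the Desktop copy are far more specific and are the findings to act on first.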
Further information:
How does the Bofra worm infect your PC?
Bofra worms spread via unpatched Internet Explorer security hole
